unable to add certificates to alpine linux container
Solution 1
I think below worked for me (I was adding a root certificate on blackfire/blackfire image which extends from alpine):
# install the CA tooling and create a sub-directory for the extra certificate
RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* && \
    mkdir /usr/local/share/ca-certificates/extra
COPY .docker/other/cert_Intertrials-CA.crt /usr/local/share/ca-certificates/extra
# merge everything under /usr/local/share/ca-certificates into the system bundle
RUN update-ca-certificates
I then logged into that VM and saw it had added it to the merged cert file, /etc/ssl/certs/ca-certificates.crt (I believe I heard it takes each cert file from inside /usr/local/share/ca-certificates and merges it into the /etc/ssl/certs/ca-certificates.crt file).
Now you will probably get that 'does not contain exactly one certificate or CRL: skipping' error, but I heard that is fine.
https://github.com/gliderlabs/docker-alpine/issues/30 mentions: "that this is just a warning and shouldn't affect anything."
https://github.com/gliderlabs/docker-alpine/issues/52 mentions:
"The WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping is just what it says it is, a warning. It is saying that ca-certificates.crt doesn't contain only one certificate (because it is the concatenation of all the certificates), therefore it is skipped and not included in ca-certificates.crt (since it cannot include itself)."
"The warning shown is normal."
Solution 2
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping
OP mentioned two warnings, which includes the pem file to be added. Only the first warning can be ignored. The second warning is caused by the pem file containing more than one certificate, which is entirely valid but handled poorly by update-ca-certificates.
Instead, you can append the cert file's contents directly:
cat ca-cert-mykey.pem.pem >> /etc/ssl/certs/ca-certificates.crt
Another use case for CI config:
echo "$ADDITIONAL_CA_CERT_BUNDLE" >> /etc/ssl/certs/ca-certificates.crt
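Added example, not code from any of the answers above: a POSIX shell helper that counts the certificate blocks in a PEM file and splits a multi-certificate bundle (the case Solution 2 describes) into one-certificate .crt files, so each piece can be copied into /usr/local/share/ca-certificates/ and merged by update-ca-certificates as Solution 1 describes, instead of appending the raw bundle to ca-certificates.crt. The function names, the output prefix and the sample bundle are my own construction.

```shell
#!/bin/sh
# Added example, not taken from the answers above: split a multi-certificate
# PEM bundle into one-certificate files so that update-ca-certificates accepts
# each of them, instead of appending the raw bundle to ca-certificates.crt.
set -eu

# count_certs FILE: print how many PEM certificate blocks FILE contains.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_pem_bundle BUNDLE OUTDIR PREFIX: write OUTDIR/PREFIX-1.crt,
# OUTDIR/PREFIX-2.crt, ... (one certificate per file) and print the number
# of files written. Blocks that are not certificates (private keys, CRLs)
# are dropped: only certificates belong in the trust store.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" -v pfx="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pfx "-" n ".crt"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
        END                            { print n + 0 }
    ' "$1"
}

# demo WORKDIR: run the split on a constructed sample bundle (placeholder
# base64, not real key or certificate material) and print the file count.
demo() {
    cat > "$1/bundle.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBexampleCertOneNotRealAAAA
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEexamplePrivateKeyNotRealAAAA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBexampleCertTwoNotRealAAAA
-----END CERTIFICATE-----
EOF
    split_pem_bundle "$1/bundle.pem" "$1/certs" mycorp
}

# Stand-alone run: write the split files under a temporary directory.
# Afterwards, COPY the .crt files into /usr/local/share/ca-certificates/
# in the image and run update-ca-certificates.
if [ "${1:-}" = "--run" ]; then
    demo "$(mktemp -d)"
fi
```

Dropping the non-certificate blocks also matters for the question's Dockerfile, which copies key.pem into /usr/local/share/ca-certificates: a private key never belongs in the trust store, and placing it there bakes secret material into the image layer.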
Solution 3
In my case, I had to execute update-ca-certificates before adding any package. But it fails if /etc/ssl/certs/ doesn't exist.
So I added RUN mkdir -p /etc/ssl/certs/ && update-ca-certificates to my Dockerfile before the RUN apk add ... line.
Comments
-
Gil Zellner almost 2 years
I have a small python app inside an alpine linux container, here is the dockerfile:
FROM alpine

# basic flask environment
RUN apk add --no-cache bash git nginx uwsgi uwsgi-python py2-pip \
    && pip2 install --upgrade pip \
    && pip2 install flask

# application folder
ENV APP_DIR /app
ENV FLASK_APP app.py

# app dir
RUN mkdir ${APP_DIR} \
    && chown -R nginx:nginx ${APP_DIR} \
    && chmod 777 /run/ -R \
    && chmod 777 /root/ -R

# plain form: "[${APP_DIR}]" is not valid JSON, so Docker would take the brackets literally
VOLUME ${APP_DIR}
WORKDIR ${APP_DIR}

# copy config files into filesystem
COPY nginx.conf /etc/nginx/nginx.conf
COPY app.ini /app.ini
COPY entrypoint.sh /entrypoint.sh

RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
COPY ./cert.pem /usr/local/share/ca-certificates/mycert.pem
COPY ./key.pem /usr/local/share/ca-certificates/mykey.pem
COPY ./ssl_password_file.pass /etc/keys/global.pass
RUN update-ca-certificates

COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt

EXPOSE 5000
ENTRYPOINT ["/entrypoint.sh"]
This worked fine 2 weeks ago, but when I tried to rebuild it recently I got this error:
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-mykey.pem.pem does not contain exactly one certificate or CRL: skipping
So I checked those files, and found that for some reason, the file ca-certificates.crt now has a chain of certificates. I found this on Stack Overflow:
/etc/ssl/certs/ca-certificates.crt is actually appending each individual cert from /usr/local/share/ca-certificates.
But what changed? Why is this now a problem? So I tried reverting to an older version of Alpine Linux - same problem. I tried recreating the certificates, I tried removing a whole bunch of certificates from the container, I checked the pem files before the update to make sure they are only a single certificate, and apparently directly after running
RUN update-ca-certificates
many certificates appear. Help?
-
bodo over 3 years
This does not work in Alpine Linux according to my experience. As stated here, you must not put your custom cert files in a sub-directory of /usr/local/share/ca-certificates.
-
armyofda12mnkeys over 3 years
Not sure, worked for me and got 12 upvotes so far. Maybe people are just slightly modifying my COPY step (by removing extra/) to: COPY .docker/other/YOURCERT.crt /usr/local/share/ca-certificates/
-
bedla.czech about 3 years
I can confirm (for me) that, on current Alpine, certificates have to be added to /usr/local/share/ca-certificates, not to the /usr/local/share/ca-certificates/extra directory.
-
Marian Klühspies about 3 years
It seems it depends on the version of your distribution. Using adoptopenjdk/openjdk11:alpine-jre now, it's mandatory. I've used anapsix/alpine-java:8u192b12_server-jre before and it was enough to copy the cert to /usr/local/share/ca-certificates/
-
vladkras about 3 years
It's not just a warning for Alpine 3.13, this doesn't work.
-
Cameron Hudson over 2 years
@vladkras It works in Alpine 3.11, but broke in 3.12.